A while ago someone sent me an interesting problem: the moment he enabled simple MPLS in his enterprise network with mpls ip interface configuration commands, numerous web applications stopped working. My first thought was “MTU problems” (the usual culprit), but path MTU discovery should have taken care of that.

As it turned out, the reduced MTU caused by the MPLS header was the problem, but the usual suspect (a sloppily-configured firewall) was not to blame. Following (possibly outdated) best practices found on the Internet, someone had configured no ip unreachables on most router interfaces. Fragmentation needed ICMP packets were considered to belong to the same bunch, and thus the edge routers quietly dropped the packets they could not send into the MPLS core, without ever telling the sender why.

Tangential notes

The web servers should have discovered that the path MTU discovery (pMTUd) had been broken, but obviously the operating system they were using didn’t support RFC 4821 (Packetization Layer Path MTU Discovery).
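The two failure modes described above (a silent drop behind no ip unreachables, and the RFC 4821 probing that would have recovered from it) in a small simulation. This is an added example written for this page, not code from the original post or from any router vendor: it models one ingress edge router whose core link loses 4 bytes of IP MTU to a single MPLS label, a sender doing classic RFC 1191 path MTU discovery, and a sender doing packetization-layer probing. The 4-byte label overhead, the 1024-byte base probe size and the five-retransmission give-up threshold are assumptions chosen for the example.

```python
"""Simulated path-MTU discovery across an MPLS core (constructed example)."""
from dataclasses import dataclass

MPLS_LABEL_BYTES = 4          # one label stack entry (assumed single label)
ETHERNET_MTU = 1500           # IP MTU of the access links
IPV4_HEADER = 20
TCP_HEADER = 20
HEADERS = IPV4_HEADER + TCP_HEADER


@dataclass
class EdgeRouter:
    """Ingress LSR: the core link still has a 1500-byte frame MTU, but the
    label it pushes leaves only 1496 bytes for the IP packet."""
    ip_unreachables: bool                      # True = "ip unreachables" (default)
    core_mtu: int = ETHERNET_MTU - MPLS_LABEL_BYTES
    dropped: int = 0
    icmp_sent: int = 0

    def forward(self, size: int, df: bool = True):
        """Forward an IP packet of `size` bytes toward the core.

        Returns ("ok", size) when it fits, ("icmp", mtu) when the router
        answers with ICMP Fragmentation Needed (type 3 code 4, carrying the
        next-hop MTU), and ("drop", None) when the packet is silently
        discarded because unreachables are disabled: the black hole.
        """
        if size <= self.core_mtu or not df:
            return ("ok", size)             # fits, or the router may fragment it
        if self.ip_unreachables:
            self.icmp_sent += 1
            return ("icmp", self.core_mtu)
        self.dropped += 1
        return ("drop", None)


def send_segments(router, payload, mtu, max_retries=5, use_icmp=True):
    """Push `payload` bytes of TCP data with DF set, segment size bounded by mtu.

    With use_icmp the sender honours Fragmentation Needed (RFC 1191 PMTUD).
    A silent drop only triggers a retransmission of the same segment, which is
    exactly what stalls the connection behind "no ip unreachables"."""
    sent, retries = 0, 0
    while sent < payload:
        if retries >= max_retries:
            return {"delivered": sent, "stalled": True, "mtu": mtu}
        size = min(mtu, payload - sent + HEADERS)
        status, info = router.forward(size)
        if status == "ok":
            sent += size - HEADERS
            retries = 0
        elif status == "icmp" and use_icmp:
            mtu = info                      # classic PMTUD: shrink to advertised MTU
        else:
            retries += 1                    # timeout, retransmit at the same size
    return {"delivered": sent, "stalled": False, "mtu": mtu}


def probe_path_mtu(router, low=1024, high=ETHERNET_MTU):
    """RFC 4821 style packetization-layer probing: binary search for the largest
    DF packet that gets through, using only the sender's own acknowledgements
    and ignoring ICMP entirely (an ICMP reply still means the probe was lost)."""
    if router.forward(low)[0] != "ok":
        raise RuntimeError("even the base MTU is not forwarded")
    if router.forward(high)[0] == "ok":
        return high
    while high - low > 1:
        mid = (low + high) // 2
        if router.forward(mid)[0] == "ok":
            low = mid
        else:
            high = mid
    return low


def plpmtud_transfer(router, payload):
    """Discover the path MTU by probing, then send with that segment size."""
    return send_segments(router, payload, probe_path_mtu(router), use_icmp=False)


if __name__ == "__main__":
    for unreach in (True, False):
        print("ip unreachables:", unreach)
        print("  RFC 1191:", send_segments(EdgeRouter(unreach), 4000, ETHERNET_MTU))
        print("  RFC 4821:", plpmtud_transfer(EdgeRouter(unreach), 4000))
```

With unreachables enabled the first oversized segment draws one ICMP and the sender drops to 1496-byte packets immediately; with them disabled the classic sender retransmits the same 1500-byte segment until it gives up with nothing delivered, while the probing sender finds the 1496-byte limit after about ten probes and completes the transfer.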

One of the reasons one might have had to disable IP unreachables in the past was to protect the router’s control plane. ICMP packets are usually generated by the router’s CPU; before you could rate-limit them, it was quite easy to overwhelm a router with packets triggering ICMP replies. With the ip icmp rate-limit unreachables command you can set different limits for fragmentation needed packets and other unreachables, so there is no longer a good reason to suppress fragmentation needed messages entirely.

Ivan Pepelnjak, CCIE#1354 Emeritus, is an independent network architect. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.
